Can't start winlogbeat as service


I experienced the following error when trying to start winlogbeat as a service:

Windows could not start the winlogbeat service on Local Computer. Error 1053: The service did not respond to the start or control request in a timely fashion.

I Installed the service using "-ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1."
It said it installed successfully, but then fails to start with the above error.

I tested my config using ".\winlogbeat.exe test config -c .\winlogbeat.yml -e -v", and was able to successfully publish events to logstash using SSL.

The issue I was having was due to a relative path in the ssl section of the logstash certificates:

certificate_authorities: ["logstash-forwarder.crt"]

When I tried entering the absolute path using double quotes like so:

certificate_authorities: ["C:/ProgramData/winlogbeat/logstash-forwarder.crt"]

The configtest failed with the error "yaml: lin 109: found enknown escape character"
The simplest solution I found to this issue was to use single quotes instead of double:

certificate_authorities: ['C:/ProgramData/winlogbeat/logstash-forwarder.crt]

This solution then passed the config test and was also able to run in the background with 'Start-Service winlogbeat"

Hopefully my struggles and frustration can be used to help someone else in a similar situation.
It would be nice if elastic could add the following to the documentation for SSL with logstash on winlogbeat:

  1. Reiterate the need for an absolute path in order to start winlogbeat as a service
  2. Include the need for single quotes to work with escape characters in windows paths i.e. 'C:/Program Files/...' (The documentation examples are currently set up with linux paths and double quotes i.e. "/etc/pki/tls/....", which is not helpful for winlogbeat/Windows)

(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.